Skip to content

Draft: Document GitLab Pages automatically added as trusted application

Mark Florian requested to merge markrian-master-patch-99803 into master

What does this MR do?

This MR attempts to document the fact that GitLab Pages can appear as a trusted application in https://gitlab.com/-/profile/applications, even though the user didn't authorise it directly themselves.

There was n internal discussion that lead to this:

@markrian I spotted that I did have a GitLab Pages app, which was authorised about an hour ago. I definitely didn't authorise anything in the last hour. As a precaution, I revoked it, but I have no idea how it got there. Is it perhaps just how GitLab Pages works, or something...?

@lienvdsteen same for me! also revoked it and i was like oh no was this a test by security to see if I would just click any link (edited)

@joernchen AFAIK the Gitlab pages app is used internally to grant access to protected pages sites. It should be a trusted application which will not show the authorization step but automatically approve

@joernchen https://docs.gitlab.com/ee/integration/oauth_provider.html#instance-wide-applications < see here

@markrian Well, that's a relief! Still, it's a little bit scary. Should this be documented explicitly, perhaps? That is, that GitLab has some hard-coded, pre-trusted apps, like GitLab Pages? (edited)

@joernchen Good point. I think the most usable thing would be section somewhere under https://gitlab.com/help/instance_configuration to show the trusted oauth apps

Notes

This general problem is already discussed to some degree in #229792 and #8081.

It was initially suggested by @joernchen to document this in https://gitlab.com/help/instance_configuration#gitlab-pages, but looking further into this, I'm not sure that's the right place, since trusting GitLab Pages seems to be dynamic, per-user behaviour rather instance-wide.

As far as I can tell, there's one brief mention of a possible link between GitLab Pages and trusted applications.

Screenshots (strongly suggested)

n/a

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Mark Florian

Merge request reports

Loading